uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

mikrotik firewall not working as expected

Sun Apr 17, 2022 8:53 pm

So I have set up a destination NAT to route traffic from public IP 98.137.11.164 directly to a private IP 192.168.10.111, and it works fine.
Now I want to restrict traffic so that only my internet public IP 172.217.14.174 can access this destination NAT public IP,
but it is not working. I'm not sure what else I need to do or why this is not so straightforward.

Here is what I have as a firewall rule; I even moved it to the very top of all firewall rules,
but the destination NAT public IP can still be accessed by anyone on the internet.

172.217.14.174 is my internet public ip, only this ip should be allowed, others DROP
98.137.11.164 is destination nat public ip which routes to local ip 192.168.10.111
chain: input
src address: !172.217.14.174
dst address: 98.137.11.164
action: drop

This rule does not work, so why is it not working?
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:01 pm

I only hope the IP addresses are not real IP addresses that you use/have.

Never ever put real IPs on the internet unless you like to receive many 'visitors'!

The ones that are going to snitch on you... "Users browsing this forum: Ahrefs [Bot], Baidu [Spider], etc." mentioned at the bottom of the page.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:04 pm

Because chain=input has nothing to do with it, connections to forwarded ports go in chain=forward. And if you want it for only one address, you can do it directly in dstnat rule, e.g.:
/ip firewall nat
add chain=dstnat dst-address=98.x.x.x src-address=172.x.x.x <conditions for protocol and port if you're not forwarding everything> action=dst-nat to-addresses=192.168.10.111
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:05 pm

> I only hope the IP addresses are not real IP addresses that you use/have.
>
> Never ever put real IPs on the internet unless you like to receive many 'visitors'!
>
> The ones that are going to snitch on you... "Users browsing this forum: Ahrefs [Bot], Baidu [Spider], etc." mentioned at the bottom of the page.

lol, of course those are Google and Yahoo IPs!!!
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:07 pm

> Because chain=input has nothing to do with it, connections to forwarded ports go in chain=forward. And if you want it for only one address, you can do it directly in dstnat rule, e.g.:
> /ip firewall nat
> add chain=dstnat dst-address=98.x.x.x src-address=172.x.x.x <conditions for protocol and port if you're not forwarding everything> action=dst-nat to-addresses=192.168.10.111

I want to separate the NAT rules from the firewall rules.
So how do I do this with firewall rules?
Better to separate them; that way I make management easy for me.
 
anav
Forum Guru
Posts: 22081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:09 pm

Sob nailed it.......... add a source address to the dst-nat rule, which limits access to that source IP.
If you have several IPs, then one can use a source-address-list!

The good thing about using source in a destination NAT rule is that the port will not be visible on scans!!
If you DON'T use source, then the port will appear (visible) on scans but will appear closed.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:18 pm

The main part is to use the correct chain (forward instead of input) and the correct addresses (forward no longer sees the original destination, but 192.168.10.111); then, if you want to do it properly, you need to do it only for dstnatted connections, otherwise it may also block (depending on your other rules) connections from the internal server to that external address (if you ever wanted that). So something like:
/ip firewall filter
add chain=forward src-address=!172.x.x.x dst-address=192.168.10.111 connection-state=dstnat action=drop
I find the way with limited dstnat rule simpler and easier to understand, but it's up to you.
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 9:33 pm

>> I only hope the IP addresses are not real IP addresses that you use/have.
>>
>> Never ever put real IPs on the internet unless you like to receive many 'visitors'!
>>
>> The ones that are going to snitch on you... "Users browsing this forum: Ahrefs [Bot], Baidu [Spider], etc." mentioned at the bottom of the page.
>
> lol, of course those are Google and Yahoo IPs!!!

Nice going, Yahoo and Google will be pleased that they earn even more money from all those 'visitors'.
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 10:44 pm

> Main part is to use correct chain (forward instead of input), correct addresses (forward no longer sees original destination, but 192.168.10.111), then if you want to do it properly, you need to do it only for dstnatted connections, otherwise it may block (depends on your other rules) also connections from internal server to that external address (if you ever wanted that). So something like:
> /ip firewall filter
> add chain=forward src-address=!172.x.x.x dst-address=192.168.10.111 connection-state=dstnat action=drop
> I find the way with limited dstnat rule simpler and easier to understand, but it's up to you.

I tried forward also; the firewall rule does not work at all,
I can still access from anywhere.

I also tried what you have and added the connection NAT state dstnat, and it does not work,
but even the bigger rule without the additional connection NAT state does not work.

Why is it not working, is my question? Because this is an issue then, because this is a simple rule that one should expect to work like 1, 2, 3.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik firewall not working as expected

Sun Apr 17, 2022 10:47 pm

Other rules. If this one doesn't block it, some other rule before this one already allowed it.
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 1:42 am

> Other rules. If this one doesn't block it, some other rule before this one already allowed it.

I have this rule at the very top of the firewall rules; I only have 3 rules in there, so not much,
and the 2 other rules just allow traffic from one public IP to/from another public IP via the input and output chains, which works fine.

Yeah, the whole thing is just weird; it looks so simple but I can still access this IP from anywhere.
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 1:51 am

> /ip firewall filter
> add chain=forward src-address=!172.x.x.x dst-address=192.168.10.111 connection-state=dstnat action=drop

Ok, now it blocks everyone, including the public IP I need it not to block.
Seems I missed the private IP in dst address; I thought that was the public IP.
I really want to separate the NAT and firewall rules, that is why.
So I know NAT is for NAT and firewall rules are for the firewall rules.
May not be generally easier, but for me it is.

One other question: why is it that the first rule I had did not work?

> 172.217.14.174 is my internet public ip, only this ip should be allowed, others DROP
> 98.137.11.164 is destination nat public ip which routes to local ip 192.168.10.111
> chain: input
> src address: !172.217.14.174
> dst address: 98.137.11.164
> action: drop
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 2:00 am

The input chain is only for traffic to the router itself, to a server running on the router, e.g. when you're connecting to the router with WinBox or using WebFig. Traffic passing through the router and going somewhere else uses the forward chain.

And if I understood correctly that your whole firewall consists of only three rules including this one, there's no way it could be secure or correct.
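The packet path Sob describes here and in his earlier forward-chain rule, as an added Python model that is not MikroTik's code and not from this thread: a dst-nat rule rewrites the destination in prerouting, the routing decision then sends the packet to input (router itself) or forward (through the router), and the filter chain is first-match with a default of accept. The port-forward on 443, the untrusted source 203.0.113.9 and a WinBox-style packet to port 8291 are constructed for the demonstration.

```python
"""Simplified model of the RouterOS packet path for a dst-natted connection,
added to illustrate this thread (not MikroTik code); 203.0.113.9 is a
constructed sample source. Order modelled: prerouting dst-nat -> routing
decision (input vs forward) -> first-match filter chain, default accept."""
from dataclasses import dataclass
from typing import Optional

ROUTER_WAN_IP = "98.137.11.164"     # public address the dst-nat listens on
INTERNAL_SERVER = "192.168.10.111"  # LAN host the port forward goes to
TRUSTED_SRC = "172.217.14.174"      # the only source that should get through
UNTRUSTED_SRC = "203.0.113.9"       # constructed sample source

@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    nat_state: str = "none"  # becomes "dstnat" once a dst-nat rule rewrites dst


@dataclass
class Rule:
    chain: str
    action: str
    src: Optional[str] = None        # "!1.2.3.4" negates the match
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    nat_state: Optional[str] = None  # connection-nat-state=dstnat
    to: Optional[str] = None         # to-addresses for action=dst-nat


def _addr_match(pattern, value):
    if pattern is None:
        return True
    if pattern.startswith("!"):
        return value != pattern[1:]
    return value == pattern


def matches(rule, pkt):
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.nat_state is None or rule.nat_state == pkt.nat_state))


def process(pkt, nat_rules, filter_rules):
    """Return (chain, verdict) for one packet arriving from the WAN."""
    # 1. chain=dstnat runs in prerouting, before any filter rule sees the packet
    for r in nat_rules:
        if r.chain == "dstnat" and matches(r, pkt):
            pkt.dst, pkt.nat_state = r.to, "dstnat"
            break
    # 2. routing decision: only packets still addressed to the router hit input
    chain = "input" if pkt.dst == ROUTER_WAN_IP else "forward"
    # 3. filter chain, first match wins; no match -> accept (RouterOS default)
    for r in filter_rules:
        if r.chain == chain and matches(r, pkt):
            return chain, r.action
    return chain, "accept"


NAT = [Rule("dstnat", "dst-nat", dst=ROUTER_WAN_IP, dst_port=443, to=INTERNAL_SERVER)]
# The three filter rules discussed in the thread
ORIGINAL = [Rule("input", "drop", src="!" + TRUSTED_SRC, dst=ROUTER_WAN_IP)]
FORWARD_PUBLIC_DST = [Rule("forward", "drop", src="!" + TRUSTED_SRC, dst=ROUTER_WAN_IP)]
FORWARD_FIXED = [Rule("forward", "drop", src="!" + TRUSTED_SRC,
                      dst=INTERNAL_SERVER, nat_state="dstnat")]


def verdicts(filter_rules, dst_port=443):
    """Verdicts for the trusted and an untrusted source hitting the forwarded port."""
    return {src: process(Packet(src, ROUTER_WAN_IP, dst_port), NAT, filter_rules)
            for src in (TRUSTED_SRC, UNTRUSTED_SRC)}
```

Running verdicts() over the three rule lists shows the original input rule and the forward rule with the public destination never match the forwarded packet, while the original rule does still drop a direct connection to the router on port 8291.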
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 2:51 am

> Input chain is only for traffic to router itself, to server running on router, e.g. when you're connecting to router with WinBox or use WebFig. Traffic passing through router and going somewhere else uses forward chain.
>
> And if I understood correctly that your whole firewall consists of only three rules including this one, there's no way it could be secure or correct.

Yeah, just 3 rules; I am still learning here but know a lot already.
What rules do I need to be better secured?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 3:27 am

Since the default action is accept, i.e. if you don't block something, it's allowed, it's very likely that you have everything wide open to the whole world.

Check this thread, it's rather long, so at least the example at the beginning (point 1). The idea is to use a stateful firewall to allow packets for already established connections, drop packets seen by connection tracking as invalid, then the rest is new connections, so allow what should pass, and finally block the rest. It's not the only way, but to me it seems simple and easy to understand.
 
anav
Forum Guru
Posts: 22081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 5:28 am

Check out item B. here - viewtopic.php?t=182373

For port forwarding, unlike other routers I have used, only one firewall rule is needed and applies to all port forwarding (dst-nats of that ilk).
add chain=forward action=accept connection-nat-state=dstnat

The rest of the details per individual rule are done under the NAT rules..........
 
uberwebguru
Member Candidate
Topic Author
Posts: 173
Joined: Sat Feb 26, 2022 12:05 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 5:49 am

Yeah, will have to focus on the firewall for the next 1 week before going PROD.
I kind of have a similar setup on my current Juniper SRX240 router also, and had it wide open too for like 8 years,
but want a more security-focused setup now.
Will read up and work more on the firewall side now.

Will post questions I have later.
Thanks
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik firewall not working as expected

Mon Apr 18, 2022 6:27 am

It's not that keeping things open must inevitably bring troubles. At first sight, why couldn't e.g. WinBox be accessible, if you have a strong password, perhaps you even do some rate limiting for new connections, etc.? There's practically zero chance that anyone would get in by bruteforcing it. And then something like this happens. Nasty bug where one connection is enough. So it's safer to be a bit paranoid.
 
anav
Forum Guru
Posts: 22081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik firewall not working as expected

Tue Apr 19, 2022 7:36 pm

> If you don't trust certain IPs, just don't allow them to connect to WAN. Then they can't use fast track either. If you trust an IP, it doesn't matter which port that IP uses in case it is compromised. If you close down 443 inboout might use 85358 anyway.

Wrong approach Kate, I will never know all the things or ports or IPs I should block, BuT I DO know what I want to allow.
Thus, as per the link above for firewalls, the optimal approach is a DROP ALL rule at the end of the input and forward chains.
In this regard I am forced to create the rules to allow traffic, and this is a much smaller "BUNCH OF THINGS" to know.

I CAN BLOCK EVERYTHING just by dropping everything
I can then allow only a few things and these are things I do know about.
DONE.
 
dwnldr
Frequent Visitor
Posts: 58
Joined: Sat Apr 11, 2020 10:06 am

Re: mikrotik firewall not working as expected

Sat Sep 23, 2023 12:18 pm

Dear community,

Since my question is related to firewall issues, I set my question here instead of creating a new topic. I would like to kindly ask you for assistance:

I recently switched from "hap ac" to "rb4011". The device was configured by myself, used in the same place, with the same clients and options as the previous hap ac. I'm struggling with the Firewall function; however, I had the same rules set on the previous device, running without any problems.
We are talking only about 3+1 rules. Blocking the internet connection for specific devices (created address list), blocking DNS requests for the same devices (same address list), and KidControl for one device. None of those rules are "catching" any data or packets. For the "blocklist" the traffic always stays at "0 bytes-packets", and the KidControl "device" does the same = no IP address visible under the added device, no packets captured even if the device is used, KidControl not working. Normally under the KidControl "device" tab all my devices in the network were visible; I could grab and "save" any of them to apply the rule. This list now has only 1 entry added manually by myself; no devices are discovered. As I mentioned, I was using those rules for 2 years under the same conditions on the hap ac. It is for sure some configuration fault which I made during setup, but I have no idea what can affect the traffic in a way that it isn't filtered by the rules.

My configuration is pretty basic:
- only one subnet/DHCP is used
- all devices used in firewall rules have fixed IPs, are visible under DHCP leases, traffic is visible
- using latest ROS
- no other network device or DHCP server is present in this network
- no VLANs used
- internet connection is established via PPPoE from ether1, where the ISP ONT is connected

Print from my firewall rules. The address list for blocking is called "block" :)
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp src-address-list=block
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp src-address-list=block
add action=drop chain=forward in-interface-list=WAN src-address-list=block
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip kid-control device
add mac-address=30:74:67:F3:6D:07 name="Samsung Galaxy A52" user="Kid Control"
Thank you very much!
 
mkx
Forum Guru
Posts: 13044
Joined: Thu Mar 03, 2016 10:23 pm

Re: mikrotik firewall not working as expected

Sat Sep 23, 2023 12:35 pm

If the firewall rules you posted (and I quoted below) are indeed all of them ... then no wonder it doesn't work for you. I highlighted the rule which makes me think you've had many more rules on your old device ... it refers to the kid-control firewall chain ... which doesn't exist in the shown config.

> /ip firewall filter
> add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp src-address-list=block
> add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp src-address-list=block
> add action=drop chain=forward in-interface-list=WAN src-address-list=block
> add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control

If I were you, I'd take this router off-line immediately and rework the config. This time keeping as much default setup as possible and only adding what's necessary.
 
dwnldr
Frequent Visitor
Posts: 58
Joined: Sat Apr 11, 2020 10:06 am

Re: mikrotik firewall not working as expected

Sat Sep 23, 2023 1:13 pm

@mkx - Thank you very much for your reply. I have no other firewall rules, only the posted ones. The KidControl rule appears dynamically if I set the rule to "ON" or "Resume", so if I would block the connection of my children's device. Otherwise it is empty. But also the previous rules for blocking my IoT devices from connecting are not working here :/ Maybe the order is confusing you, which was done by me as a try to get the previous ones to work, but it didn't help... Normally the KidControl is in first position.
The configuration was done exactly like that. Configured from scratch, only the needed options. The additional part is only those 3 rules. I don't understand why I should take it offline immediately.........
 
anav
Forum Guru
Posts: 22081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik firewall not working as expected

Sat Sep 23, 2023 3:10 pm

When you decide to take advice and put a proper firewall on your device, I would be interested, but it seems you are here to prove your 3 rules are good enough or something. Ciao!
 
dwnldr
Frequent Visitor
Posts: 58
Joined: Sat Apr 11, 2020 10:06 am

Re: mikrotik firewall not working as expected

Sat Sep 23, 2023 4:27 pm

@anav - Thank you for your reply!
Exactly as you described. I'm here ONLY to kindly ask for assistance about the 4 mentioned items in my firewall, and nothing else! But this forum behaves as usual, as is well known :) I'm not interested in "support" like this anymore.
 
mkx
Forum Guru
Posts: 13044
Joined: Thu Mar 03, 2016 10:23 pm

Re: mikrotik firewall not working as expected

Sat Sep 23, 2023 10:48 pm

> The configuration was done exactly like that. Configured from scratch, only the needed options. The additional part are only those 3rules rules. I dont understand why should i take it offline immediately.........

So what is the posted config: the complete config or the "additional part"? If the former, then your router is pretty much wide open to attacks from the internet.

If the latter, I'll paraphrase a sentence posted recently in another thread: how can you know what to take out if you didn't know what to put in? In other words: the whole setup in ROS is interleaved, and if you don't show us the whole of it, we can't get the big picture and we can't help you. In essence you're wasting our time. Since you're asking for help and we're the kind volunteers trying to help you, you should at least respect our attempts.
 
dwnldr
Frequent Visitor
Posts: 58
Joined: Sat Apr 11, 2020 10:06 am

Re: mikrotik firewall not working as expected

Sun Sep 24, 2023 12:47 am

@mkx - Thank you for your feedback!

The posted config is the full config of my FW rules. KidControl is in last position just because of my attempts to make the first three work... I don't have any FW rules, because my router is behind the ISP ONT device with a dynamic IP changing a couple of times per day, no ports on my router are opened/forwarded, and I'm charged monthly by the ISP for a "secure connection (whatever it means)" besides the costs for fibre internet. I am connected like this to the web in two different locations for 7 / 3 years without issues. My only connection from outside is via ZeroTier (just because of SmartHome control). Just to clarify, I don't say that any additional security is not welcome from my side, but I have never configured anything additional. It was not needed, I never had troubles, and honestly I can't do that correctly. I was able on my previous router to block the mentioned DNS requests and internet connection with the same config for a couple of devices from my network with those rules (only to avoid connecting IoT devices to cloud services, since I'm using them locally and they can't "talk" simultaneously to two destinations) and KidControl to have a magic weapon against my children :D Those are actually my only goals, to get back the "block" functionality.
If I'm wasting your time, please feel free to scroll further and please ignore my question. I'm also pissed off if somebody/something steals my time, of course. Since my lack of deeper knowledge here is a fact, I wasted a lot of time trying to search for a solution and documentation, and made attempts to achieve my goal. Since I still failed, I made a last try here. The request was aimed at somebody who can spend a bit of time and knowledge providing some assistance without the feeling of wasting it.

Thank you!
 
anav
Forum Guru
Posts: 22081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: mikrotik firewall not working as expected

Sun Sep 24, 2023 5:16 pm

Nothing like a Slovakian lovefest!

Regardless, if nothing has happened, it only takes one incident to ruin one's life; what MKX is suggesting is common sense and prudent firewall rules, that are easy to implement and that ALSO include your blocking strategy by default.

This is a stock setup that keeps the required default rules, keeps access to the router solely to the admin, and blocks all traffic except that specifically permitted.
/ip firewall address-list
add address=admin-IP1  list=Authorized
add address=admin-IP2  list=Authorized
{ etc....... }
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback:"  dst-address=127.0.0.1
(user rules)
add action=accept chain=input comment="allow admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ 
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat  { disable or remove if not req'd }
add action=drop chain=forward comment="drop all else"
.........

It should be fairly easy to add what you mean by kid control, but you stated it in config speak and not requirement speak.

1. identify user(s)/device(s), groups of users/devices
2. identify what traffic they should be allowed to execute.
3. the rules above block all other traffic automatically.

For example, the above rules:
input chain --> allow the admin to config the router
input chain --> allow all LAN users access to router DNS services
forward chain --> allow all LAN users access to internet
forward chain --> allow port forwarding, in case you have any port forwarding or dst-nat requirements (can be disabled or removed if not useful).

What I don't understand is the purpose of kid control.
Are you attempting to control a number of IP/mac addresses as to
a. where they can go in terms of internet?
b. what time they can execute traffic?

etc.........
